Authorization

Note: Session and token objects require the same SAF authority.

Table 1. Authorization requirements for the token record create callable service

| Action | Source object (Copy only) | Token / Object being created | PKCS #11 role (Authority required) |
|---|---|---|---|
| Create or recreate token | N/A | Token | SO (UPDATE) |
| Create object | N/A | Public object, except a CA certificate | USER (UPDATE) or SO (READ) |
| Create object | N/A | Private object, except a CA certificate | USER (UPDATE) or SO (CONTROL) |
| Create object | N/A | Public CA certificate object | USER (CONTROL) or SO (READ) |
| Create object | N/A | Private CA certificate object | USER (CONTROL) or SO (CONTROL) |
| Copy object | Public object, except a CA certificate | Public object, except a CA certificate | USER (UPDATE) or SO (READ) |
| Copy object | Public object or private object, except a CA certificate | Private object, except a CA certificate | USER (UPDATE) or SO (CONTROL) |
| Copy object | Private object, except a CA certificate | Public object, except a CA certificate | USER (UPDATE) |
| Copy object | Public object, where source or target or both are CA certificate objects | Public object, where source or target or both are CA certificate objects | USER (CONTROL) or SO (READ) |
| Copy object | Public object or private object, where source or target or both are CA certificate objects | Private object, where source or target or both are CA certificate objects | USER (CONTROL) or SO (CONTROL) or both USER (UPDATE) and SO (READ) |
| Copy object | Private object, where source or target or both are CA certificate objects | Public object, where source or target or both are CA certificate objects | USER (CONTROL) or both USER (UPDATE) and SO (READ) |
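The rules in Table 1 expressed as an access check, as an added example that is not IBM's code. The function names, action strings and boolean flags are hypothetical, and the check assumes the usual SAF ordering in which a higher access level satisfies a lower requirement (READ < UPDATE < CONTROL).

```python
# Assumption: SAF access levels are hierarchical, so CONTROL also satisfies UPDATE and READ.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def required(action, target_private=False, source_private=False, ca_cert=False):
    """Return the alternatives from Table 1 for one request.

    Each alternative is a dict {role: minimum level}; every entry in an
    alternative must hold, and any one alternative is sufficient.
    ca_cert means the source, the target, or both are CA certificate objects.
    """
    if action == "create_token":
        return [{"SO": "UPDATE"}]
    if action not in ("create_object", "copy_object"):
        raise ValueError(f"unknown action: {action}")
    copying = action == "copy_object"
    # CA certificate objects raise the USER requirement from UPDATE to CONTROL.
    alts = [{"USER": "CONTROL" if ca_cert else "UPDATE"}]
    # Copying a private object into a public one has no SO-only alternative.
    if not (copying and source_private and not target_private):
        alts.append({"SO": "CONTROL" if target_private else "READ"})
    # CA certificate copies that touch a private object also accept both roles combined.
    if copying and ca_cert and (source_private or target_private):
        alts.append({"USER": "UPDATE", "SO": "READ"})
    return alts


def permitted(access, action, **obj):
    """access maps role name to the SAF level held, e.g. {"USER": "UPDATE"}."""
    held = {role: LEVELS[access.get(role, "NONE")] for role in ("USER", "SO")}
    return any(
        all(held[role] >= LEVELS[level] for role, level in alt.items())
        for alt in required(action, **obj)
    )


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real system.
    so_only = {"SO": "CONTROL"}
    both = {"USER": "UPDATE", "SO": "READ"}
    print(permitted(so_only, "copy_object", source_private=True))            # private -> public
    print(permitted(both, "copy_object", source_private=True, ca_cert=True))
    print(permitted(both, "create_object", target_private=True, ca_cert=True))
```

The three sample calls show the asymmetries in the table: SO authority alone never permits a private-to-public copy, and the combined USER (UPDATE) plus SO (READ) alternative applies to CA certificate copies but not to creates.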
Note: